ENTERPRISE RISK MANAGEMENT (ERM) FRAMEWORK

Operating in a broad range of geographical, product and service markets in the highly competitive and regulated telecommunications industry, Telia Company is subject to a variety of risks and uncertainties. Telia Company has defined risk as anything that could have a material adverse effect on the achievement of Telia Company’s goals. Risks can be threats, uncertainties or lost opportunities relating to Telia Company’s current or future operations or activities. Risks and uncertainties related to business and sustainability as well as to shareholder issues are described in Risks and uncertainties and financial risks in Note C26 to the consolidated financial statements.

Three-line defense – integrated governance, risk management and compliance

Telia Company’s risk management may be illustrated as a three-line defense being an integral part of the group’s operational activities, business planning process and monitoring of business performance. Risks that may pose a threat to achieving business objectives are identified and assessed, and measures are implemented to mitigate and monitor the identified risks. The aim is not only to focus on risks from a negative perspective, but also to acknowledge that successful risk management is essential for strategy execution and sustainable growth.

Enterprise risk management – lines of defense

The defense-line roles and responsibilities include:

  • First-line defense: The line organization owns its operational risks and is responsible and accountable for assessing, controlling and mitigating the risks as well as for internal control activities and assurance
  • Second-line defense: Comprises the group-level enterprise risk management (ERM) function, the group risk area coordinators, the internal controls function within Group Finance, the Group Ethics and Compliance Office and the Governance, Risk, Ethics and Compliance (GREC) meetings
  • Third-line defense: The group internal audit function provides independent assurance on the risk management process and internal control environment. External parties, such as the external auditors and regulatory bodies, provide assurance related to specific statutory requirements, e.g. information presented in the consolidated financial statements or reported to the Swedish Financial Supervisory Authority

Risk management process

As a basis for first-line defense, Telia Company’s group instructions on risk management define roles and responsibilities as well as the main components of the risk management process, which are risk assessment, risk response and continuous monitoring.

Risk management – process flow

The objective of the continuous risk management process is that all risks that may help or hinder the achievement of Telia Company’s objectives are regularly assessed, treated and monitored.

Risk management shall be fully integrated into the business processes. The risk management procedures shall be transparent, feasible and traceable. Management shall ensure that a personal sense of responsibility and common view on and awareness of risk is established among the employees, as well as facilitate accountability for risks in daily decision-making. Risk reporting is integrated into the business planning process and risks shall be reviewed at business reviews and escalated through the line organization.

Quarterly, the Audit Committee and the Board of Directors receive a consolidated risk report, aligned with the Board’s annual work cycle as described in section “Board of Directors.” The consolidated report is divided into four categories:

  • Financial risks
  • Operational and societal risks
  • Strategic and emerging risks
  • Legal and regulatory risks

Under each of these categories, risks are presented either as group-wide or by region with a:

  • Risk description
  • Description of risk mitigating activities and status of execution
  • Potential financial impact when possible
  • Probability grading (low, medium, high and very high risk)

In addition, the Audit Committee quarterly receives a consolidated litigation report with short-form details of ongoing, pending and threatened legal and administrative proceedings. Each case description also includes alleged nominal and estimated financial impact when possible and a probability grading (low, medium and high risk).

Management shall conduct risk and compliance evaluations and assessments in a proactive, regular and timely manner in order to ensure that all employees are aware of and take steps to comply with the relevant requirements. Compliance means conforming to external as well as internal requirements, such as:

  • Applicable legislation and regulation
  • Customer agreements
  • International standards and norms
  • Group policies and group instructions

The most significant risk areas are monitored by the risk management function including the GREC meetings (see sections “Group-level enterprise risk management (ERM) function,” and “Governance, Risk, Ethics and Compliance (GREC) meetings”), the internal controls function within Group Finance (see section “Internal controls over financial reporting”) and the Group Ethics and Compliance Office (see section “Compliance framework and programs”).

Group-level enterprise risk management (ERM) function

The Head of the ERM function, within group function Corporate Development, acts as the owner of the group-common ERM process to ensure a structured approach towards risk management, compliance and reporting within the group. Function responsibilities include to:

  • Own, govern, coordinate and monitor the ERM process to ensure a structured approach towards risk management, compliance and reporting in the group
  • Own the group framework for ERM, policies and instructions within his/her areas of responsibility, monitor compliance therewith and support group-wide implementation
  • Oversee the operational effectiveness of the ERM processes across the group and propose actions for improvement
  • Monitor the risk level as well as the nature of specific risk matters across the group. As part of that responsibility, the CRO will collect and aggregate the respective reports from countries and group functions in order to give the CEO and the Board a consolidated and holistic view on the group’s risk level and individual, material risks
  • Facilitate and organize the governance forum for Risk Management and Compliance (GREC) on group level

Compliance framework and programs

Also supporting first-line defense, Telia Company has established a framework to enable systematic work with compliance issues. The compliance framework consists of eight elements that are founded on a sound and clear tone from the top. It is designed to adhere to international standards and is based on prevent, detect and investigate principles.

Compliance framework

Prioritized risk areas are identified based on risk assessments. The most significant risks are monitored by the Group Ethics and Compliance Office and managed according to the framework through subject-specific compliance programs to ensure consistency and follow-up in implementation and reporting. Currently prioritized risk areas are reflected by the following ongoing programs:

  • Anti-bribery and corruption
  • Freedom of expression
  • Customer privacy
  • Occupational health and safety
  • Responsible procurement
  • Environment

For additional information on the approach and work in the respective area, see Sustainability Work, sections “Sustainability in Telia Company,” “Anti-bribery and corruption,” “Freedom of expression and privacy,” “Customer privacy” and “Occupational health and safety.”

GREC meeting (group level) – participants and risk categories

GOVERNANCE, RISK, ETHICS AND COMPLIANCE MEETINGS

Governance, Risk, Ethics and Compliance (GREC) meetings

The GREC meetings act as the primary governing bodies within risk and compliance, evaluating risk levels and proposing risk-mitigation actions. At the GREC meetings, which are held at least quarterly, management meets to update, discuss, decide and follow up on ongoing activities and initiatives within the different risk areas and sustainability focus areas. Specifically, the purpose of the GREC meetings is to:

  • Consolidate risk reporting from regions, countries and units
  • Assess country, regional and group-wide risks
  • Review risk levels in relation to risk appetite
  • Recommend and decide on risk mitigation actions
  • Escalate and report risks and follow up on mitigation actions
  • Monitor compliance for key risk areas
  • Build risk awareness culture
  • Monitor and respond to non-compliance against internal and external requirements
  • Ensure communication and feedback to all relevant stakeholders

GREC meetings are held on group, region and country level. On group level, the GREC meeting is chaired by the CEO and consists of Group Executive Management extended with the Head of CEO Office, the Head of ERM, the Chief Ethics and Compliance Officer as well as the Head of Group Internal Audit. The purpose, agenda and participants of local GREC meetings mirror the group-level meetings. For region Eurasia, GREC issues on group level are addressed by a Steering Board, headed by the CEO (for additional information, see section “CEO and Group Executive Management”).

Whistle-blowing process

Speak-Up Line

2016 was the second full year of operations of Telia Company’s Speak-Up Line, the whistle-blowing tool enabling employees and others to anonymously report violations of proper accounting, reporting or internal controls, as well as non-compliance with local laws or breaches of Telia Company’s policies and ethical instructions. Telia Company has a group-wide standard for performing internal investigations. The guiding principle is to ensure that investigations are conducted objectively and impartially; are carried out in a way to swiftly establish the facts with minimum disruption to the business or the personal lives of employees; and to make sure that confidentiality and non-retaliation are respected at all times.

To the reader of this Statement: If you believe there are deficiencies in Telia Company’s financial reporting or if you suspect any misconduct within the Telia Company group, you may report your concerns at: www.speakupline.ethicspoint.com

Speak-Up Line 2016 – case reports, 2016 (2015)

  Number of whistle-blowing case reports during 2016 ............................. 123
  Investigations opened by the Special Investigations Office of
  Group Ethics and Compliance .................................................... 35 (27)
  Reports related to HR matters (handled jointly with Group HR) .................. 19 (42)
  Reports sent for information to other departments (e.g. customer or
  supplier complaints), or closed after an initial review and response
  to the whistle-blower concerned (e.g. in cases of ethical reproach) ............ 69 (72)

Reporting channel                                                                  %

  Speak-Up Line portal ........................................................... 50
  Line managers .................................................................. 18
  Direct contact with ethics and compliance officers at group or local level ..... 17
  Sent to the Speak-Up Line e-mail address ....................................... 12
  Telia Company’s executive management ............................................ 2

Share of all reports submitted anonymously or by reporters requesting to remain anonymous: 26 percent (40).

Origins of reports during 2016 (2015)                                              %

  Region Eurasia ................................................................. 56 (74)
  Nordics ........................................................................ 33 (22)
  Other group companies .......................................................... 11 (4)

During 2016, customer complaints or enquiries, conflicts of interest and ethical concerns or reproaches against management were the most commonly reported matters, in particular from region Eurasia. Other significant issues included improper third party relationships, abuse of position, discrimination and harassment. Several suppliers complained about biased tender results. Several employees complained about wrongful termination.

In 2016, 24 (13) investigations were requested by managers. This increase is viewed positively as it shows that employees feel comfortable addressing concerns directly with their managers.

Where allegations were substantiated, 10 (17) disciplinary decisions were taken by the Group Ethics Forum. The majority of the decisions resulted in terminations of employments, but warnings were issued in some cases.

Consolidated case reports were presented to the Audit Committee throughout the year. The reports included allegations of certain significance, progress of investigations and the final results of the investigations. All case closure reports were submitted to the Group Ethics Forum for oversight and decisions on disciplinary action.

Internal investigation KPIs                                            Target   2016   2015

  Whistle-blowing cases closed within eight weeks                      80%      83%    72%
  Disciplinary decisions implemented within four weeks after
  Group Ethics Forum decision                                          100%     70%    53%